cancan skip_authorization_check for Devise authentication
Because anyone can sign up and then log in,... and because a user isn't identified for roles until after log in, doesn't it make sense to skip authorization_check for Devise?
Going on that premise, i inherit from the Devise registration controller with this registrations_controller and placed it in the controller directory.
class Users::RegistrationsController < Devise::RegistrationsController
skip_authorization_check
end
change to the routes file:
devise_for :users, :controllers => { :registrations => "registrations" }
I'm missing something though:
This action failed the check_authorization because it does not authorize_resource. Add skip_authorization_check to bypass this check.
Thanks for your help.
Answer
The easy solution
check_authorization :unless => :devise_controller?
If you have to put check_authorization in every controller manually at some point you will forget and open a security hole in your app. It's better to explicitly whitelist controllers that don't need auth by cancan.
This is made clear in the CANCAN docs at
https://github.com/ryanb/cancan/wiki/Ensure-Authorization
EDIT
class ApplicationController < ActionController::Base
check_authorization :unless => :do_not_check_authorization?
private
def do_not_check_authorization?
respond_to?(:devise_controller?) or
condition_one? or
condition_two?
end
def condition_one?
...
end
def condition_two?
...
end
end